Breaking POET Authentication with a Single Query 
Abstract. In this short article, we describe a very practical and simple attack on the authentication
part of the POET authenticated encryption mode proposed at FSE 2014. POET is a provably secure scheme
that was designed to resist various attacks where the adversary is allowed to repeat the nonce, or even
where the message is output before the validity of the tag has been verified when querying the
decryption oracle. However, we demonstrate that using only a single encryption query and a negligible
amount of computation, even without any special misuse from the attacker, it is possible to generate
many valid ciphertext/tag pairs for POET. Our work shows that one should not use POET for any
application where the authentication property is required. Furthermore, we propose a possible patch to
overcome this particular issue, yet without backing up this patch with a security proof.
Authenticated encryption is a very useful cryptographic primitive that might benefit many security
engineers and protocol designers, as it provides both privacy and authenticity when sending data. In
particular, it avoids the classical threat of a misinterpretation of the privacy-only security provided
by a simple encryption mode. The encryption part usually takes as input a message M, some public
associated data A, a public nonce value N, a secret key K, and it outputs a ciphertext C and a
tag value T. Then a decryption part takes as input a ciphertext C, a tag value T, some public
associated data A, a public nonce value N, a secret key K, and outputs either the original message
M, or the error symbol $\bot$ if the authentication process is not valid.

Many authenticated encryption solutions using existing components already exist (like using an
encryption scheme for the privacy part and a MAC for the authenticity part), but a single primitive
providing both properties at the same time, with a single core function, would potentially permit
faster and simpler solutions. This line of research attracted a lot of attention, especially recently
due to the upcoming CAESAR authenticated encryption competition [1] that will run from 2014 to 2017,
and that will propose a portfolio of authenticated encryption solutions approved by the community.

The topic of authenticated encryption is quite complex, as many parameters, security definitions
and use-cases have to be considered. Yet, in the past years some very useful properties have been
proposed, such as the so-called nonce-misuse resistance. This security property ensures that even
when the attacker can ask for the encryption of several messages with the same nonce, the security
of the scheme is not completely broken. One can cite for example modes such as SIV [6], COPA [3],
McOE [5], ELmE [4] or POET [2] that use a block cipher as basic primitive (and thus can be directly
instantiated with AES for example). Such schemes are interesting because reusing a nonce is really
an issue that might arise in practical applications (due to limitations of the upper protocol or
hardware, or due to human error when implementing the scheme).

In the same research direction, Fleischmann et al. [5] also identified decryption-misuse resistance
to be an interesting property. A decryption-misuse resistant authenticated encryption scheme can
withstand adversaries that obtain the decryption of the queried ciphertext even though the validity
of the attached queried tag is not verified. Such adversaries are quite strong and model the fact that
in practice it might be hard for some applications to wait for the tag to be verified before starting
to output the plaintext during decryption (for example because the amount of memory is very small).

At FSE 2014, Abed et al. [2] proposed a scheme named POET, based on the POE family of
online ciphers which are provably secure against chosen-ciphertext attacks (POE is itself based on
a block cipher). This proposal contains a proof which stipulates that POET is a provably secure
authenticated encryption scheme. Moreover, it only requires a single encryption per message block
on average. Another advantage of this scheme is that it is pipelinable and thus allows more efficient
implementations compared to fully sequential designs such as McOE.



Our contributions. In this article, we show that POET (described in Section 1) is not a secure
authenticated encryption scheme, even when not used in a nonce-misuse or decryption-misuse
scenario. Our attack uses only a single query to the encryption oracle and a negligible amount of
computation. The whole process is described in Section 2 and it allows to generate many valid
ciphertext/tag pairs and therefore breaks the authenticity property of the POET authenticated
encryption mode. Then, we propose in Section 3 a potential simple patch to overcome this issue
and hopefully recover the entire authenticity property expected from an authenticated encryption
scheme.



1 Description of POET 

POET is an authenticated encryption scheme proposed at FSE 2014 [2]. Even though it is based on the
POE family of online ciphers, we will describe POET directly. We denote $E_K(P)$ the encryption of
the plaintext P with the n-bit block cipher E initialized with the $k$-bit key K (and $D_K(C)$ will
denote the decryption process of the ciphertext C with the key K). Furthermore, we denote $F_K(\cdot)$
the $\epsilon$-AXU family F of n-bit hash functions parameterized by K.

POET encryption takes as input a variable-length message M and a variable-length header H,
while it outputs a ciphertext C with $|C| = |M|$ and a tag value T. POET decryption takes as input
a variable-length ciphertext C, a variable-length header H, a tag value T, and it outputs either
a plaintext M with $|M| = |C|$ or the error symbol $\bot$ in case the authenticity verification failed.
Without loss of generality, we will assume in the rest of the article that the length of the messages
is always a multiple of n and we denote m the number of message blocks, i.e. $|M| = m \cdot n$. The
notation $M_i$ will refer to the i-th n-bit block of the message ($M = M_1 \| \ldots \| M_m$). We will
also assume that the header length as well as the tag length is exactly one n-bit block. Our attack
is completely independent of these assumptions, but they simplify its description.
Fig. 1. The POET authenticated encryption mode.



A picture of the POET encryption process is given in Figure 1. The keys $K_0$, $K_1$ and $K_2$ are
generated from the master key K, but we omit the method since it is not important for our attack (we
will consider them to be three independent $k$-bit keys). The internal state of POET is composed of
two n-bit values X and Y (respectively the upper and lower line) and we denote $X_i$ and $Y_i$ the
values before handling message block $M_i$. First, the header block is processed with
$X_1 = F_{K_1}(1) \oplus H$ and $Y_1 = F_{K_2}(1) \oplus E_{K_0}(X_1)$, and a pretag value $\tau$ is
memorized, $\tau = Y_1$. Then the message blocks are processed with $X_{i+1} = F_{K_1}(X_i) \oplus M_i$
and $Y_{i+1} = F_{K_2}(Y_i) \oplus E_{K_0}(X_{i+1})$, and the ciphertext block $C_i$ is simply
$C_i = Y_{i+1}$. Only the last message block $M_m$ is treated differently, as
$X_{m+1} = F_{K_1}(X_m) \oplus M_m \oplus E_{K_0}(|M|)$ and $Y_{m+1} = F_{K_2}(Y_m) \oplus E_{K_0}(X_{m+1})$,
and the ciphertext block $C_m$ is simply $C_m = Y_{m+1}$. Finally, once all the message blocks have been
processed, the tag is computed with $X_{m+2} = F_{K_1}(X_{m+1}) \oplus \tau$ and
$T = F_{K_2}(Y_{m+1}) \oplus E_{K_0}(X_{m+2})$.

We omit the POET verification/decryption part here, but we refer to [2] for a complete description 
of the process. 



2 The attack 



Our attack is very simple: the idea is to first query a message M composed of several blocks to
the encryption oracle and obtain a ciphertext C and a tag T, and then to observe that this T is
a valid tag for a new (and not yet queried) ciphertext built by adding any difference to any
block but the last two. This can be seen in Figure 2.




Fig. 2. The single query attack on the POET authenticated encryption mode. A difference $\Delta_0$ is
inserted on $C_1$, but no difference is inserted on $C_2$ and $C_3$.



In more detail: we first pick a random message M composed of three n-bit blocks
$M = M_1 \| M_2 \| M_3$ and a random header block H. We then query this pair (M, H) to the encryption
oracle and obtain a ciphertext $C = C_1 \| C_2 \| C_3$ and a tag T. Any pair $(C', T)$ with
$C' = C'_1 \| C'_2 \| C'_3 = (C_1 \oplus \Delta_0) \| C_2 \| C_3$ and $\Delta_0$ any nonzero n-bit value is
a valid decryption pair, which breaks the authenticity property. We denote $X'_i$ and $Y'_i$ the
internal state values when processing the ciphertext $C'$ (or the corresponding message $M'$).
Moreover, $\delta(X_i)$ will represent the XOR difference between $X_i$ and $X'_i$ (or $Y_i$ and
$Y'_i$), i.e. $\delta(X_i) = X_i \oplus X'_i$.

Now, let us explain why the tag T is valid for the ciphertext $C'$. Since $\delta(C_2) = 0$, it means
that $\delta(Y_3) = 0$ because $C_2 = Y_3$. Similarly, since $\delta(C_3) = 0$, it means that
$\delta(Y_4) = 0$ because $C_3 = Y_4$. Moreover, $C_3 = F_{K_2}(Y_3) \oplus E_{K_0}(X_4)$, i.e. the
decryption computes $X_4 = D_{K_0}(C_3 \oplus F_{K_2}(Y_3))$, so we directly deduce that
$\delta(X_4) = 0$. As $\delta(X_4) = \delta(Y_4) = 0$, the entire internal state $(X_4, Y_4)$ does not
contain any difference, and since the tag only depends on this state and on the pretag $\tau$ (which is
computed from the unmodified header), the two tags collide. The difference $\Delta_0$ does propagate
through the upper line, so the decrypted message $M'$ differs from M, but the verifier accepts it.
Finally, with a negligible amount of computation, we are able to generate almost any number of valid
ciphertext/tag pairs by asking only for a single encryption query composed of at least three message
blocks.

It is to be noted that we picked a random header value at the beginning of the attack. Therefore,
even if a random nonce is inserted in the header, this will not change anything to our technique.
Our attack is not based on any misuse from the adversary (like nonce-misuse or decryption-misuse)
and works in the classical adversary scenario. Moreover, note also that we can similarly apply the
technique to the header part of POET (again only if at least 3 blocks of header are processed) or
to both the header and message parts (by performing two separate state collisions).



3 Patching POET 



Our attack uses the fact that each ciphertext block $C_i$ is equal to the outgoing state value
$Y_{i+1}$, a structural weakness of the design: during decryption the adversary, who chooses $C_i$,
directly controls the lower line of the state. In order to avoid this issue, we propose to use a
different mixing function than $C_i = Y_{i+1} = F_{K_2}(Y_i) \oplus E_{K_0}(X_{i+1})$, so that $C_i$ and
$Y_{i+1}$ are really made distinct. The following update function, where $2 \cdot x$ denotes
multiplication by the element 2 of the field GF($2^n$), seems to be quite efficient and prevents our
attack: $C_i = 2 \cdot F_{K_2}(Y_i) \oplus E_{K_0}(X_{i+1})$ and
$Y_{i+1} = F_{K_2}(Y_i) \oplus E_{K_0}(X_{i+1})$. With this update a decryptor obtains
$Y_{i+1} = 3 \cdot F_{K_2}(Y_i) \oplus C_i$, so a difference in $Y_i$ is no longer cancelled by an
unmodified $C_i$. We note that the idea of using a linear mixing was proposed by Datta et al. in [4],
with the goal of obtaining a parallel online authenticated encryption. This proposal, ELmE, uses the
linear mixing function $\rho(x, y) = (x + (\alpha + 1) \cdot y,\; x + \alpha \cdot y)$, where $\alpha$ is a
primitive element of the field GF($2^n$).

We emphasize that this patch is only a proposal to avoid the attack presented in this article.
While we are confident that it should not harm the basic POET design, a new proper security proof
taking this update into account should be provided before this scheme can be used with confidence.
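To make Sections 1 to 3 concrete, the following Python program is an added example (it is neither the authors' code nor the POET reference implementation). It models the simplified POET of Section 1, runs the single-query forgery of Section 2 against it, and repeats the forgery against the patched mixing of Section 3. It assumes a toy instantiation: $E_K$ is a 4-round Feistel network built from SHA-256 (standing in for AES), $F_K(x) = K \cdot x$ in GF($2^{128}$), one header block, one tag block, whole 128-bit message blocks and $|M|$ encoded as the bit length of M; the keys, header and message blocks are constructed sample values.

```python
"""Toy model of POET (Section 1), the single-query forgery (Section 2) and the
patched mixing (Section 3).  Added example, not the POET reference code.  Assumed
instantiation: E_K is a 4-round SHA-256 Feistel network standing in for AES,
F_K(x) = K * x in GF(2^128), one header block, one tag block, full 128-bit
message blocks, and |M| encoded as the bit length of M."""
import hashlib

MASK64 = (1 << 64) - 1
BLOCK_BITS = 128

def gf_mul(a, b):
    """Multiply a and b in GF(2^128), modulus x^128 + x^7 + x^2 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> BLOCK_BITS:
            a ^= (1 << BLOCK_BITS) | 0x87
    return r

def _feistel_round(key, i, half):
    """Round function: 64 bits of SHA-256(key || round index || half)."""
    data = key + bytes([i]) + half.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def E(key, x):
    """Toy 128-bit block cipher E_K (stand-in for AES)."""
    l, r = x >> 64, x & MASK64
    for i in range(4):
        l, r = r, l ^ _feistel_round(key, i, r)
    return (l << 64) | r

def D(key, y):
    """Inverse D_K of E: undo the Feistel rounds in reverse order."""
    l, r = y >> 64, y & MASK64
    for i in reversed(range(4)):
        l, r = r ^ _feistel_round(key, i, l), l
    return (l << 64) | r

def _process_header(k0, k1, k2, h):
    """X_1 = F_K1(1) xor H, Y_1 = F_K2(1) xor E_K0(X_1), pretag tau = Y_1."""
    x = gf_mul(k1, 1) ^ h
    y = gf_mul(k2, 1) ^ E(k0, x)
    return x, y, y

def poet_encrypt(k0, k1, k2, h, blocks, patched=False):
    """Return (ciphertext blocks, tag).  patched=True outputs
    C_i = 2*F_K2(Y_i) xor E_K0(X_{i+1}) instead of C_i = Y_{i+1}."""
    x, y, tau = _process_header(k0, k1, k2, h)
    m, cts = len(blocks), []
    for i, mi in enumerate(blocks, 1):
        x = gf_mul(k1, x) ^ mi                        # X_{i+1} = F_K1(X_i) xor M_i
        if i == m:
            x ^= E(k0, m * BLOCK_BITS)                # last block also absorbs E_K0(|M|)
        fy, e = gf_mul(k2, y), E(k0, x)
        y = fy ^ e                                    # Y_{i+1} = F_K2(Y_i) xor E_K0(X_{i+1})
        cts.append(gf_mul(2, fy) ^ e if patched else y)
    x = gf_mul(k1, x) ^ tau                           # X_{m+2} = F_K1(X_{m+1}) xor tau
    return cts, gf_mul(k2, y) ^ E(k0, x)              # T = F_K2(Y_{m+1}) xor E_K0(X_{m+2})

def poet_decrypt(k0, k1, k2, h, cts, tag, patched=False):
    """Decrypt and verify; return the plaintext blocks, or None if the tag is invalid."""
    x, y, tau = _process_header(k0, k1, k2, h)
    m, blocks = len(cts), []
    for i, ci in enumerate(cts, 1):
        fy = gf_mul(k2, y)
        e = ci ^ (gf_mul(2, fy) if patched else fy)   # recover E_K0(X_{i+1}) from C_i
        x_next = D(k0, e)
        mi = x_next ^ gf_mul(k1, x)
        if i == m:
            mi ^= E(k0, m * BLOCK_BITS)
        blocks.append(mi)
        x, y = x_next, fy ^ e                         # unpatched: y == ci, chosen by the attacker
    x = gf_mul(k1, x) ^ tau
    return blocks if gf_mul(k2, y) ^ E(k0, x) == tag else None

def single_query_forgery(k0, k1, k2, h, blocks, delta, patched=False):
    """One encryption query, then XOR delta into C_1 and keep C_2, C_3 and T.
    Returns the plaintext the verifier accepts for the forged ciphertext, or None."""
    cts, tag = poet_encrypt(k0, k1, k2, h, blocks, patched)
    forged = [cts[0] ^ delta] + cts[1:]
    return poet_decrypt(k0, k1, k2, h, forged, tag, patched)

# Constructed sample values (not from the paper): keys, a header carrying a nonce, 3 blocks.
K0 = hashlib.sha256(b"k0").digest()
K1 = int.from_bytes(hashlib.sha256(b"k1").digest()[:16], "big")
K2 = int.from_bytes(hashlib.sha256(b"k2").digest()[:16], "big")
HEADER = int.from_bytes(b"nonce-in-header!", "big")
MESSAGE = [int.from_bytes(b"block-%02d of POET" % i, "big") for i in (1, 2, 3)]
DELTA_0 = 1 << 77

def demo():
    """Forgery outcome for (original POET, patched POET): accepted plaintext or None."""
    return (single_query_forgery(K0, K1, K2, HEADER, MESSAGE, DELTA_0),
            single_query_forgery(K0, K1, K2, HEADER, MESSAGE, DELTA_0, patched=True))
```

Calling `demo()` returns, for the original mode, a plaintext that the verifier accepts although it differs from the queried message (the forged $C'$ passes the tag check), and `None` for the patched mode, where the difference injected in $C_1$ reaches the lower line and the tag no longer collides. Only the mixing of $C_i$ and $Y_{i+1}$ changes between the two runs; the block cipher, the hash family and the tag computation are identical.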

Conclusion 

In this article we have shown that POET is not a secure authenticated encryption mode, as the
authenticity notion can be easily broken with only a single encryption query. Therefore, POET should
not be used in applications where authentication is a requirement. Patching POET with regard to this
issue seems feasible, but we leave a possible security proof as future work.